Failover PIX VPN certificate replication (SCEP)

sarunas_vance
Level 1

Hi,

Got a pair of PIX 525s on version 6.3(4) running in active/failover mode. I have recently configured VPNs authenticated by certificates, which involved the use of SCEP in order to get the certificate onto the PIX. The certificates were imported to the PIX from a Windows CA server with the SCEP add-in using the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .

All of this is working fine: the configuration was saved, the certificates were saved using 'ca save all', and everything is working fine except that the certificates that were imported have not been replicated to the failover PIX. The command 'show ca certificate' does not show any certs there.

The private keys shown by 'sh ca mypubkey rsa' are the same on both devices.

I'm not able to find any documentation regarding how the certificates should be replicated to the failover PIX, and it is not possible to enroll the certificates again on the failover PIX using the commands they were initially imported with:

pix-fw# conf t
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.

pix-fw(config)# ca auth ca
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.

Has anyone else experienced a similar issue, or does anyone know how to get the new CA certificates onto the failover PIX?

Regards,

Sarunas

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Sarunas

Pix 6 indeed does not sync the keys and certificate automatically.

However, you should be able to accomplish this by first forcing a failover (i.e. making the secondary active), then enrolling the (now active) secondary with the CA.

hth

Herbert


Hi Herbert,

I have successfully enrolled the certificates on the secondary PIX after I triggered a manual failover.

Thanks for your help!

Sarunas
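The procedure Herbert describes and Sarunas confirms, written out as a PIX 6.3 CLI session. This is an added example, not commands from the original thread or from Cisco documentation. It assumes the CA identity is named "ca" (as in the poster's "ca auth ca"), that the RSA key pair already exists on the secondary (the poster confirms the public keys match), and that <challenge> stands for the SCEP challenge password issued by the Windows CA; all three are assumptions.

```text
! Added example, not from the original thread. Typed on the console of the
! SECONDARY (standby) unit. Assumed: CA identity "ca", existing RSA keys,
! <challenge> = SCEP challenge password from the Windows CA.

! 1. Make the secondary the active unit. Until it holds a certificate it
!    cannot build certificate-authenticated tunnels, so do this in a
!    maintenance window.
pix-fw# failover active
pix-fw# show failover

! 2. Now that this unit is active, CA commands are accepted again.
!    Compare the fingerprint 'ca authenticate' prints with the one the
!    primary shows for its CA certificate before accepting it.
pix-fw# configure terminal
pix-fw(config)# ca authenticate ca
pix-fw(config)# ca enroll ca <challenge>

! 3. Verify the CA and identity certificates arrived (if the CA requires
!    manual approval of SCEP requests, wait for that first), then persist
!    them. Certificates are stored separately from the running-config:
!    'write memory' alone does not save them.
pix-fw(config)# show ca certificate
pix-fw(config)# ca save all
pix-fw(config)# write memory
pix-fw(config)# exit

! 4. Hand the active role back to the primary.
pix-fw# no failover active
pix-fw# show failover
```

Because the secondary enrolls on its own, it receives its own identity certificate (same key pair, different serial number) rather than a copy of the primary's. Peers that trust the CA accept either unit; a peer that pins the primary's certificate by serial or fingerprint rather than trusting the issuing CA will need the secondary's certificate added as well. Repeat the same cycle whenever the certificates are renewed, since the renewed certificate is not replicated either.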
